search

apache / cordova-ios

Apache Cordova iOS
https://cordova.apache.org/
Apache License 2.0
2.15k stars 987 forks source link

The defined scheme is ignored #1283

Closed El-Tommy closed 1 year ago

El-Tommy commented 1 year ago

Bug Report

The https scheme was defined in the config.xml, along with the hostname com.example.myapp, but all requests generated by the app are blocked by CORS because it presents itself as app://com.example.myapp.

The expected behavior was for it to present itself as https://com.example.myapp, as it does on Cordova Android.

<preference name="scheme" value="https" />
<preference name="hostname" value="com.example.myapp" />
breautek commented 1 year ago

This is limitation of the iOS SDK.

It is a programmer error to register a handler for a scheme WebKit already handles, such as https, and this method raises an NSInvalidArgumentException if you try to do so.

https://developer.apple.com/documentation/webkit/wkwebviewconfiguration/2875766-seturlschemehandler?language=objc

iOS reserves the right to use any well known scheme. There is no explicit list for what iOS reserves, probably because the list can be changed, but you can count that any standardised protocol is likely included, such as:

On the contrary, Android enforces the scheme to be either http or https, so it is impossible to make both platforms consistent in this regard. The server must be able to handle dynamic origins for their CORS compliance.

This can be done by checking the request's Origin header, and returning the value of the Origin header as the response's Access-Control-Allow-Origin header, if the value is acceptable.

Closing as won't fix.